Merge branch 'sh-support-mutual-tls-http-client' into 'master'

Add support for using HTTP TLS client cert See merge request gitlab-org/omnibus-gitlab!7349 Merged-by: Balasankar 'Balu' C <balasankar@gitlab.com> Approved-by: Clemens Beck <cbeck@gitlab.com> Approved-by: Andrew Patterson <apatterson@gitlab.com> Approved-by: Balasankar 'Balu' C <balasankar@gitlab.com> Reviewed-by: Clemens Beck <cbeck@gitlab.com> Co-authored-by: Stan Hu <stanhu@gmail.com>

Merge branch 'sh-support-mutual-tls-http-client' into 'master'
eeb43658 · Balasankar 'Balu' C · 27e1bed9 · 51697fdb · eeb43658 · eeb43658
Commit eeb43658 authored 1 year ago by Balasankar 'Balu' C
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -192,6 +192,11 @@ external_url 'GENERATED_EXTERNAL_URL'
 ###! request (default: 10)
 # gitlab_rails['webhook_timeout'] = 10
+### HTTP client settings
+###! This is for setting up the mutual TLS client cert and password for the certificate file.
+# gitlab_rails['http_client']['tls_client_cert_file'] = nil
+# gitlab_rails['http_client']['tls_client_cert_password'] = nil
 ### GraphQL Settings
 ###! Tells the rails application how long it has to complete a GraphQL request.
 ###! We suggest this value to be higher than the database timeout value

--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -615,6 +615,8 @@ default['gitlab']['gitlab_rails']['trusted_certs_dir'] = "/etc/gitlab/trusted-ce
 default['gitlab']['gitlab_rails']['webhook_timeout'] = nil
+default['gitlab']['gitlab_rails']['http_client'] = {}
 default['gitlab']['gitlab_rails']['graphql_timeout'] = nil
 default['gitlab']['gitlab_rails']['initial_root_password'] = nil

--- a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
@@ -110,6 +110,9 @@ production: &base
    # Number of seconds to wait for HTTP response after sending webhook HTTP POST request (default: 10)
    webhook_timeout: <%= @webhook_timeout %>
+    ## HTTP client settings
+    http_client: <%= @http_client.to_json %>
    ### GraphQL Settings
    # Tells the rails application how long it has to complete a GraphQL request.
    # We suggest this value to be higher than the database timeout value

--- a/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb
+++ b/spec/chef/cookbooks/gitlab/recipes/gitlab-rails/gitlab_yml/gitlab_spec.rb
@@ -84,6 +84,34 @@ RSpec.describe 'gitlab::gitlab-rails' do
      end
    end
+    describe 'HTTP client settings' do
+      context 'with default configuration' do
+        it 'renders gitlab.yml with empty HTTP client settings' do
+          expect(gitlab_yml[:production][:gitlab][:http_client]).to eq({})
+        end
+      end
+      context 'with mutual TLS settings configured' do
+        before do
+          stub_gitlab_rb(
+            gitlab_rails: {
+              http_client: {
+                tls_client_cert_file: '/path/to/tls_cert_file',
+                tls_client_cert_password: 'somepassword'
+              }
+            }
+          )
+        end
+        it 'renders gitlab.yml with HTTP client settings' do
+          expect(gitlab_yml[:production][:gitlab][:http_client]).to eq(
+            tls_client_cert_file: '/path/to/tls_cert_file',
+            tls_client_cert_password: 'somepassword'
+          )
+        end
+      end
+    end
    describe 'SMIME email settings' do
      context 'with default configuration' do
        it 'renders gitlab.yml with SMIME email settings disabled' do